tag:www.schneier.com,2015:/blog//2/tag:www.schneier.com,2009:/blog//2.3158-2015-07-23T13:27:56ZComments for Using Fake Documents to Get a Valid U.S. PassportA blog covering security and security technology.Movable Typetag:www.schneier.com,2009:/blog//2.3158-comment:404922Comment from Billy on 2009-12-30Billy
Exactly how does holding a real passport make you NOT a terrorist?

I don't know about the rest of you, but I don't care WHO else is with me on a plane. I care that none of them were allowed on with bombs, and that there are "enough" trusted people carrying guns to thwart a hijacking. The names and identities of ANYONE are irrelevant except perhaps positively identifying the people allowed on to the plane with loaded weapons. Anyone else should be able to board anonymously as long as they have paid for their ticket.

]]>
2009-12-30T07:59:28Z2009-12-30T07:59:28Ztag:www.schneier.com,2009:/blog//2.3158-comment:403752Comment from Hal O'Brien on 2009-12-21Hal O'Brien
One thing that didn't get raised here, and might be useful:

Most modern ID schemes will have some sort of back door, because of law enforcement wanting to do undercover work, witness protection programs, etc.

If an ID really was seamless, then those things would no longer be possible.

If a back door *does* exist, then it can be exploited, though human means as well as technological.

As Bruce says, All security is a tradeoff.

]]>
2009-12-21T23:24:13Z2009-12-21T23:24:13Ztag:www.schneier.com,2009:/blog//2.3158-comment:402592Comment from Jim A on 2009-12-11Jim A
It is important to keep in mind that in any system of ID that is intended to be universal, a big problem is dealing with exceptions. A system that is 99% accurate isn't much use if 00.75% consists of scammers and fraudsters. People are still born outside of hospitals. Heck, my grandmother had two birth certificates, dated a year apart and with slightly different names. A friend of mine's mother in law had some real difficulties getting a copy of her birth certificate while in France because after she emmigrated to the U.S. she married and changed her last name. And of course the local U.S. county clerk never sent paper work to the arondisment of her birth notifying them of her name change. No procedure like that exists in the U.S. The French bureaucrats kept saying that they couldn't give her a copy of her birth certificate, since they had received no notification of her name change. The sysem ground to a halt because nobody knew how to deal with this exception to normal procedure.

If you ignore the neccessity for waivers and exceptions or make them too difficult to obtain, you deny people the rights/services that they are entitled to. But people who want to commit fraud will quickly find and exploit any waiver system that too easy to get.

In Switzerland you have to present a birth certificate, which is only issued once by your community of origin, to get your first passport. For any subsequent new one, you only have to present your formerly expired passport document. Which I did to get my current one, in which they did manage to inverse my two additional first names. I only hope this will never cause any confusion or even less amusing disagreement.

Were I to present my original birth certificate, I'd be screwed since I lost that document somewhere over time and this equals my very non-existence wrt to officials. Except for paying taxes and the like, of course. :(

"The people who pushed this through are
(1) bureaucrats who want to expand their departments,
(2) lobbyists for the companies who will get the govt contracts,
(3) pols and bureaucrats who saw a chance to increase their power over the peons."

You missed the one subtal but important motivation that makes the whole work.

Kickback from those who fund step 2,

It comes in two forms

1, Kickback into Party Political Funds.
2, Kickback as personal enrichment of pols and bureaucrats.

Kickback comes way further up the list than your (3) in their greedy litle porcine minds.

]]>
2009-12-10T13:41:00Z2009-12-10T13:41:00Ztag:www.schneier.com,2009:/blog//2.3158-comment:402410Comment from Nostromo on 2009-12-10Nostromo
I think Bruce, and many of the responders, are missing the point of biometric passports.

Of course it's obvious that any competent Al Qaeda operative, foreign agent, well-funded criminal, etc will easily be able to get one (or more) of these. Pointing this out is a waste of time, it's irrelevant.

The people who pushed this through are (1) bureaucrats who want to expand their departments, (2) lobbyists for the companies who will get the govt contracts, (3) pols and bureaucrats who saw a chance to increase their power over the peons.

Introduction of biometric passports will further the interests of (1)-(3) above. Mission accomplished, case closed.

]]>
2009-12-10T10:41:29Z2009-12-10T10:41:29Ztag:www.schneier.com,2009:/blog//2.3158-comment:402375Comment from gattaca on 2009-12-10gattaca
@Clive: my best wishes and get well soon too (and regarding the nurses: not one with a short skirt, long legs and bedroom eyes for you? I will write santa with this wish for you :-)

big IT projects are a constant failure. this is system inherent. Call for bids have clauses that only big companies can fulfill (insurance costs, manpower requirement etc.) and the bid with the lowest number wins (or with the most influence - talk ex-politcians on their board). The list is looong: in germany recent examples are the road charge system (even the contracts are confidential - but wikileaks published them now) which was late for several years and did cost hundrets of millions more than expected. the digital emergency service radio is still not implemented (several millions in euro and several years out of schedule) and so on.
Latest attempt: a digital health insurance card with a chip: complete failure. after ~400mio EUR it is now stalled. But this is good - the thought of a single database with every health record of everybody is a security and privacy nightmare.
Sometimes it seems the only thing preventing the quick erosion of society towards an orwellian regime is the incompetence of the major participants.
Lucky us.

"Otherwise, all that you can prove, is that you are the person who also did another thing (such as "I am the person who applied for this passport")."

Nice - I see you understand step 1 of the problem (you'll never make a politician ;)

Which is the point Stella Rimington made several years ago.

Now for step 2,

We know these systems are (from independent evaluations) going to cost the tax payer ~500USD/person. For a Nation of 300million that's 150,000,000,000 USD.

The world population is ~6,000,000,000 and more would have to be done. One etimate I've seen puts that at ~1000USD/person or 6,000,000,000,000 USD.

Perform a ROI calculation for the US and the World to show what this investment is going to return and over what period...

Try and find any other project of comparable size that has come in budget and delivered on the requirments spec.

Then ask OK what's in it for the Joe Average, who is going to pay for it.

Oh and the last question in these days of financial restraint. Projects a lot smaller than this need to become "profit centers" ask how the Gov can break even let alone make a profit on the anual runing costs...

Be afraid, be very afraid.

]]>
2009-12-10T05:35:16Z2009-12-10T05:35:16Ztag:www.schneier.com,2009:/blog//2.3158-comment:402344Comment from Steve Parker on 2009-12-09Steve Parkerhttp://steve-parker.org/
Unless you mark all babies at the moment of birth, you can never have a secure ID system.

Even then, you have to ensure that trusted midwifes are present at every birth, be it in a hospital, at home, at the roadside...

Otherwise, all that you can prove, is that you are the person who also did another thing (such as "I am the person who applied for this passport").

"What use are sophisticated passports with RFID and biometric data and so on, if the manufacturer is owned by someone whose main interest is ROI and not public safety?"

I've yet to see any worthwhile argument (plenty of Political gas though) that any identity document will act as a constraint on a person who wishes to kill them selves for a political cause.

The argument that "it keeps them out of the country" is jingoistic nonsance. Nearly all bombers in the UK for the past 100 years or so (and there have been many) where born in this country or one of it's "domain" and are thus entitled to legitimate doccuments of entry and residence.

Likewise I've seen no convincing argument that it will stop "illegal immigrants" or the "black economy". In fact most of the convincing arguments suggest that in fact it will aid both as it represents a single point of weakness.

Likewise there is absolutly no evidence that the UK Gov can actually build the systems required. What was the worlds largest IT Contract the NHS IT centralised system has been a compleate and unmitigated disaster (just like Russian Central planning, no wonder we call them IT Czars ;)

Further evidence abounds that there is considerably more fraud and theft involved with UK Gov IT projects than in equivalent projects in the private sector.

And contary to what we are led to belive the rate of pay in the UK civil service is often actualy better for "proffesional" white collar activities than in the private sector (and that's basic pay before you take their pension scheams into account as well).

Anyway I must resist the urge to "pig stick" UK Gov (it's not realy on topic).

What is known is that something over 75% of ICT contracts issued by UK Gov are not just failures but also "give away" intelectual property rights and have unreasonable escape clauses for those providing the failing systems (have a shufty at the UK Computer World for a run down on just how bad these systems realy are).

We do not need a national ID card we do not need bio-metrics and we do not need the banks conning politicians into such systems just to externalise their liabilities under money laundering legislation.

(The nurses in this hospital are not quite as nice as the one I mentioned befor 8(

]]>
2009-12-09T22:18:50Z2009-12-09T22:18:50Ztag:www.schneier.com,2009:/blog//2.3158-comment:402312Comment from anonymous on 2009-12-09anonymous
The story isn't that surprising. Criminals get passports under an alias all the time.]]>
2009-12-09T21:21:48Z2009-12-09T21:21:48Ztag:www.schneier.com,2009:/blog//2.3158-comment:402268Comment from gattaca on 2009-12-09gattaca
@Paul: why emberrassment? You just moved into town.
Never heard of such a policy here in germany though. Of course there is the status of a bailsman but this is afaik only for financial toppics...]]>
2009-12-09T14:56:16Z2009-12-09T14:56:16Ztag:www.schneier.com,2009:/blog//2.3158-comment:402267Comment from paul on 2009-12-09paulhttp://alltoosimple.wordpress.com
Another problem with a system based on a individuals who supposedly know the person in question: it means that people who keep mostly to themselves and/or move on a regular basis can't get ID. I still remember my embarrassment some years back when I applied for a library card in the town we'd just moved to. In addition to everything else, there was a line on the form for the name of someone in the community who knew me and would vouch for my book-returning intentions. Boss? Freelance. Doctor? Didn't have one yet. Minister? Not a churchgoer. And so forth.]]>
2009-12-09T14:52:18Z2009-12-09T14:52:18Ztag:www.schneier.com,2009:/blog//2.3158-comment:402265Comment from Zaphod on 2009-12-09Zaphod
@Clive

Off topic: Hope you get well soon!

Z.

]]>
2009-12-09T14:20:47Z2009-12-09T14:20:47Ztag:www.schneier.com,2009:/blog//2.3158-comment:402264Comment from gattaca on 2009-12-09gattaca
@Clive - no, i'm very conservative in showing my ID to anyone. ;-) It even annoys me if they ask for ID when paying with EC. Token (card) and knowledge (PIN) should be enough...

We have in germany some equivalent to Capita - its called Bundesdruckerei ("federal print office"). This was in former times a state-owned print office responsible for printing all passports and driving licences and so on. It was decided to sell it "to the market and reduce costs while keeping the high quality standards". Nice move. Private data in the hand of a company with sharholder interests in mind and not public service. Turns out, they poorly managed the print office and needed some offical boost - along comes the interior minister and announces the need for new biometric data and RFID in passports and the exchange of the old ones. The newer ones are significantly more expensive. A sure thing for the monopolist on the market. After his term this minister (Otto Schily) switches sides and is now on the board of a company involved with RFID in passports for the monopolist. Final joke: the government is now considering to buy Bundesdruckerei back (fear of technology transfer).

What use are sophisticated passports with RFID and biometric data and so on, if the manufacturer is owned by someone whose main interest is ROI and not public safety?

]]>
2009-12-09T14:14:16Z2009-12-09T14:14:16Ztag:www.schneier.com,2009:/blog//2.3158-comment:402259Comment from Roger on 2009-12-09Roger
@Zebee :
> Australian Passports: from passports.gov.au

> "Copies or extracts of a birth certificate are not acceptable. If born in Australia, an original full birth certificate issued by a state or territory Registrar of Births, Deaths and Marriages must be presented"

> You also need a combination of other documents, one of which can be a birth card. But a birth card and a credit card are not sufficient.

Sorry, you are right; in my haste I somehow skipped section one, which requires either a birth certificate, citizenship certificate, or previous passport. I was only looking at section 2 (from the same site) which reads:

"2. You will need to provide one of the following three combinations of original documents that support your identity:
...
Combination 1

* One document from category A
and
* One document from category B "

Category A includes 4 types of documents (two of them only acceptable when applying from overseas, bizarrely), one of which is: "Birth card issued by an Australian Registrar of Births, Deaths and Marriages (this is not a birth certificate)"
Category B includes 8 types of documents (four of them only acceptable overseas), one of which is: "Credit card or bank account card"

(A "birth card" is a document issued, so far as I am aware, only in NSW (the most populous state) up until late last year, when issuance was discontinued (but issued birth cards remain valid until their expiry dates.) Except that it is credit card size and has an expiry date on it, it is *exactly* the same as birth certificate extract. I don't know why they were discontinued but rumour has it that it is because they were easily and widely forged by under-age teens trying to sneak into pubs and nightclubs.)

So mea culpa: the minimum appears to be birth certificate or citizenship certificate, extract, and credit card, or any of several approximate equivalents (some of which are arguably even weaker.) At any rate, my point stands: this is vastly less paperwork than I had to come up with ~10 years ago. I don't recall the exact details but seem to remember something like the "100 points" system where each document was worth a certain number of points, and you had to reach at least 100 points total, except that you also had to provide one of a small set of "primary documents" (like the section 1 in this system), which couldn't count as any of your points. At any rate I definitely recall that I ended up with a dozen or so documents in a manila folder, not two pocket-sized slips of paper.

Your 3:31 and my 3:23 are so similar people will think one or both of us is a sock pupet ;)

So can I check your ID please? (Just joking 8)

@ Fred Blotz,

"Speaking of documents, it looks like TSA lacks the ability to properly redact documents. Both DHS and TSA are in full damage control mode."

Would you like to enlarge on that a bit?

In my mind I smell something juicy every time I see "redact" and a government agency name.

And like Pavlov's dog I start to slaver at the sound of that particular bell 8)

Ah well time to find out if the Quacks are deciding to add yet another unit of somebody elses DNA (and god alone knows what else) into my system so I can get enough oxygen around the system to stand up without fainting 8(

]]>
2009-12-09T11:08:13Z2009-12-09T11:08:13Ztag:www.schneier.com,2009:/blog//2.3158-comment:402256Comment from hwKeitel on 2009-12-09hwKeitel
here are a lot of people arguing the pro and contra of IDs. in germany we have the Personalausweis (first time with age 16). you need it if you want to by beer or cigarettes (and look too young), sometimes the postman wants to see it, of course when you get your driving licence, and some public authorities. but to be true, the most of the time i don't need it. no policeman ever asked for the ID, maybe i'm too honest (no bar fights;)
i can't remember if i needed anything like a birth certificate when i got my first ID. but here in germany the people are registered in a local registration office.
IDs are helpful for police etc., but IDs are not a magic bullet.]]>
2009-12-09T10:59:25Z2009-12-09T10:59:25Ztag:www.schneier.com,2009:/blog//2.3158-comment:402254Comment from Clive Robinson on 2009-12-09Clive Robinson
@ gattaca,

"missing security or society on the list? me too"

That and our elected officials who vote for this waste...

In the UK one of the largest potential biders for work on this UK ID scheam is Capita (also known as Crapita by those who have been unfortunate to come into contact with them).

It is known that one of their directors made a "personal donation" into the current incumbrants part political funds.

Also it appears that many civil senior civil servants and ministers have been "wined and dined" by Capita and other companies and their lobbying groups. Also that contary to the Civil Service and Ministerial rules both civil servants and ministers have "jumped ship" into lucrative executive positions with these organisations.

But that's ok because there cannot be any question of impropriaty with our "snouts in the trough" politicians and their gravy train brothers in the civil service.

After all what are a few votes worth to a politician who knows that their chance of being re-elected is vanishing to nothing.

Just about every political foundation stone to prevent impropriaty in office in the UK that somebody looks under appears to be floating on a sea of sleaze...

Ever had the fealing we are "being played for mugs" by inept "con men" "feathering their own nests" "at our expense" and the system is such we cannot get rid of them.

I'd better stop or I'll get the "off topic" "yellow card" from the moderator.

]]>
2009-12-09T10:38:13Z2009-12-09T10:38:13Ztag:www.schneier.com,2009:/blog//2.3158-comment:402249Comment from averros on 2009-12-09averros
Why exactly lying about one's own name to Autoritah is an offence? Cops and politicos are lying all the time. It's fair to allow mere people to do the same.

I'd think easily forgeable passports are better than hard-to-forge ones. Simply because they make our masters less powerful, and leave a way to escape from them in an emergency. Like when they decide they want to get you because you opened your mouth and said something they didn't like.

Security is not value-free. Good security may be seriously morally bad. Security of passports is one such case.

]]>
2009-12-09T09:56:44Z2009-12-09T09:56:44Ztag:www.schneier.com,2009:/blog//2.3158-comment:402247Comment from gattaca on 2009-12-09gattaca
@Clive "who gains by this huge waste of tax payers money?"
that is easy: the manufacturers of the infrastructure (scanner, databases and so on), agencies (new databases are always on theri wishlist), potential surpressors (the more data about an individual the better to control the individual)

missing security or society on the list? me too

]]>
2009-12-09T09:45:26Z2009-12-09T09:45:26Ztag:www.schneier.com,2009:/blog//2.3158-comment:402246Comment from gattaca on 2009-12-09gattaca
it is not possible to have 100% identification. It can always only rely on the context and therefore one can forge the context (fake friends, refrences) or input data (tempered fingerprints, bribery etc).
Using DNA or lifelong IDs looks tempting - but is it worth the overall costs? How about the presumption of innocence in case DNA was found somewhere and the database spits our your name? How about forged DNA-samples (http://www.wrongfulconvictionlawsuitdefense.com/tags/dan-frumkin/) ? And what about the potential value of the collected data? If a valid adress with name and age and email and profession is worth 5$ on the grey market for spammers and scammers - how much is the DNA profile? What could a whole database get the seller? How about political changes - do we know, that society will be the same in 40years? What if it turns toward fascism - only with our data still in the dictators hands? There are still old people around in europe who have seen an emperor, a failing republic, a fascist dictatorship, a failed socialist state and now a capitalistic society. All in one country, all in one lifetime, including several changes in currency.
It may save your life someday to be able to throw away your passport and start anew. Bureaucracy should never be perfect - because society itself is not. ]]>
2009-12-09T09:31:17Z2009-12-09T09:31:17Ztag:www.schneier.com,2009:/blog//2.3158-comment:402245Comment from Clive Robinson on 2009-12-09Clive Robinson
@ Marc W,

"I don't know if this has been suggested or not, but couldn't the solution to generating a "proper ID" simply be to have an ID number / Government "Official name" that was simply (for lack of a better description) a one-way hash function of one's DNA (or some other unique biomarker that doesn't change over time)?"

Although sounding very simple and seductivly appealing, for a whole host of reasons that is a bad collection of ideas.

Not that, that fact has stopped people chasing a "pipe dream" to do it (UK Gov), and are thus imposing the rewards of their stupidity on others (UK populace) as fast as they can.

What you are essentialy saying is,

1, One ID only
2, The ID is non refutable
3, The ID is thus assumed to be non forgable.
4, The ID is thus assumed to be the signiture of all your actions.

Problem 1 - "one ID" is a bad idea for many reasons,

The first is that we just do not run our lives that way we have multiple unrelated roles and society at a very fundemental level demands that we remain that way for our safety and sanity likewise for those around us.

The second is it will become like the insecure and very unfunny joke that is the US SSN (or UK NI Number or other countries equivlent).

I could give you further details as to why ad nausium but that would be well off topic (and if Bruce is running true to form it will be todays or tomorows Op Ed or very soon :)

Problem 2 - a "non refutable ID" is a disaster waiting to happen.

Firstly it would act as an "eternal prison sentance" even for those that had done no wrong.

The classic example is the UK child support agency with what is effectivly "retrospective legislation". Essentialy it is turning people into criminals for not commiting a crime and in return is causing major social disruption and lost income to the country. Rather than admit the whole idea was compleatly stupid from start to finish the UK Gov is activly seeking to make it worse. They do not seem to have learnt the lessons of the "Poll Tax Riots".

Further the UK Gov are implementing the "childrens DB" where any "official idiot" can add what they feel about a child or their home circumstances without any kind of evidence. Neither the child or their parents have the right to see this and thus have no right to refute. The plan for this DB is to make it available to interested parties for the rest of a persons life. Interested being potential employers, potential creditors, courts, local council busy bodies, etc etc. Thus it will very likely end up in private DBs in other parts of the world where you have absolutly no control over it.

Problem 3 - the incorrect idea that because something appears "irefutable" it must be true, thus forgary is not possible.

DNA is an unreliable identifier I currently have atleast four peoples DNA sloshing around inside of me. Further it appears that a bone marrow transplant can perminantly change your DNA. As time goes on and if "stem cell" research goes the way many hope then your fundemental DNA could end up being somebody elses.

As far as we can tell there is no "readily available" bio-metric that cannot be altered either temporarily or perminently if people are crazy enough to undergo the required surgury. As for non "readily available" I'm not happy about having a brain or spinal biopsy just to please some "officialy designated idiot".

Then there is the issue of collection and duplication of DNA. We leave DNA just about where every we go as skin cells, hair, mucouse and a whole host of other bodily fluids etc. Thus your DNA is a matter of being publicaly available to use for forgary by any individual that choses to pick it up...

As evidence collection has shown Bio-ID is not exactly a reliable identifier of very much (just that the object that your Bio-ID is on is at a particular place in time, without explination as to how it got there).

Problem 4 - then there is the problem of how do you reliably link any ID to an action or object?

Short of signing in your (unreliable) blood how do you propose to link the two together?

Any other system is as we know open to trivial levels of abuse such as a change to a DB record.

As I said further up "we are who we say we are" and fundementaly there is not much else that can be done about it.

Spending any amount of money on trying to change this is a provable waste of resorces and effort.

Which begs the question who gains by this huge waste of tax payers money?

]]>
2009-12-09T09:23:07Z2009-12-09T09:23:07Ztag:www.schneier.com,2009:/blog//2.3158-comment:402233Comment from Jason R. Coombs on 2009-12-08Jason R. Coombshttp://www.jaraco.com
"No credential can be more secure than its breeder documents and issuance procedures."

Couldn't a credential increase in security over time, if for example, it was periodically signed by trusted parties or otherwise had a way to represent the _reputation_ of the holder?

I believe the solution is not to find a document that ultimately identifies an individual, but rather find a way to capture the aggregate reputation over time - much like the credit card agencies do for financial reputation.

In my opinion, such a system would best be served by a decentralized but regulated system.

]]>
2009-12-09T04:46:57Z2009-12-09T04:46:57Ztag:www.schneier.com,2009:/blog//2.3158-comment:402228Comment from Marc W. on 2009-12-08Marc W.
Granted I'm not in the security business, and I don't know if this has been suggested or not, but couldn't the solution to generating a "proper ID" simply be to have an ID number / Government "Official name" that was simply (for lack of a better description) a one-way hash function of one's DNA (or some other unique biomarker that doesn't change over time)?

It would be readily verifiable, and difficult for another to forge. Applying for an ID card wouldn't require any previous documents, and checking for a fake ID card would be equally simple for anyone who cared to do a fingerstick, etc. Perhaps identical twins might prove troublesome, and granted this would need some modifications to make it time effective for an ID check, but I'm sure there are some clever people out there who might make it work...

]]>
2009-12-09T01:58:16Z2009-12-09T01:58:16Ztag:www.schneier.com,2009:/blog//2.3158-comment:402225Comment from Fred Blotz on 2009-12-08Fred Blotz
Speaking of documents, it looks like TSA lacks the ability to properly redact documents. Both DHS and TSA are in full damage control mode.]]>
2009-12-09T01:40:39Z2009-12-09T01:40:39Ztag:www.schneier.com,2009:/blog//2.3158-comment:402223Comment from Peter E Retep on 2009-12-08Peter E Retep
re: clive r:

Just so. My grandfather knew Fritjof Nansen
who created the Nansen Passport for 'Stateless Persons' after WWI,
and I have had students in the last few years
who are travelling on a Nansen Passport.

Further, during the worst days of the Cold War,
it was routine for U.S. Journalists visiting ghostile countries
(absent good working relationships with the U.S.)
to secure and travel on Canadian Passports,
because Her Majesty's government had a far better record of rescuing subjects,
before allowing Cold War diplomacy to supercede.

Before that, also, my swimming coach was issued a Canadian Passport
to become a Royal Navy Frogman [trainer] before 1941,
and my best friend's father was issued a Chinese passport
to enable him to fly fighter aircraft from ChunKing.

Sorry I didn't make it clear. I'm not saying that the passport is fake or that I'm using a fake name etc.

The point I was making is that a passport is only a document of entry into the country that issued it (and possibly of residence).

A country can issue a passport to a citizen of any other country it see's fit to do so (some countries such as Turks&Cacos and Belize do this).

It's just that the passport "appears" to most people to say you are a citizen of that country when you are actualy not.

As I said earlier the French used to issue passports to members of the Forign Legion who had served their time, in any name that they wished no questions asked.

Further if you have dual nationality you are not commiting an offence (as far as I am aware) by changing your legal name in one of those countries but not the other.

The real point is that your name your nationality the countries you can live in are all fairly arbitary, all other countries can reasonably do is refuse you entry.

We have to decide if this is a problem or not (and I think on the whole not) and what we want to do about it before we waste billions of dollars etc on a pointless system, that does not achive anything nor can prevent anything.

Those are some interesting paradoxes, but often mean little in practice for citizens of many countries. gopi's mention of "non-specific laws" reveals why: most governments give themselves more authority than they actually have and since the whole checks and balances scheme is in the government itself, they will often get away with it. Small countries will often not fight big ones like the US over petty trials or actions, esp. if US threatens them to coerce submissiveness. (Caribbean tax havens come to mind)

For example, lets say Britain gets tired of people having privacy and freedom via Sealand passports. They'll likely just not recognize Sealand's sovreignty and interpret relevant passport laws as they see fit. In the United States, people have almost no rights whatsoever: the US government routinely ignores international treaties, declares citizens "enemy combatants" (stripping rights away) and abuses legislative powers to give itself more power. I don't see an obscure legal argument holding up when they jail you and freeze your assets, then reserve the right to discount evidence that back you up. Britain is hardly better on this regard, esp. if taxes, drugs or terrorism are mentioned. So, these things make nice food for thought but their effectiveness is uncommon in the real world.

]]>
2009-12-08T23:06:56Z2009-12-08T23:06:56Ztag:www.schneier.com,2009:/blog//2.3158-comment:402211Comment from gopi on 2009-12-08gopi
@Clive: Country B probably has a "lying when you try to get in" law.

A letter saying I've been offered a job has no formal legal recognition, but if I used a fake one to get a loan or something I'm pretty sure I'd be in trouble for fraud and/or forgery and/or acquiring something or other through false pretenses.

Just a guess, but: I'll bet that there are some variations on what you describe that would fall through the cracks. However, I'm also going to bet that there are enough non-specific laws about inaccurate or misleading documents or statements.

]]>
2009-12-08T22:32:50Z2009-12-08T22:32:50Ztag:www.schneier.com,2009:/blog//2.3158-comment:402210Comment from Clive Robinson on 2009-12-08Clive Robinson
By the way the UK national ID Card system (nee universal benifit card) is a political fudge that various civil servants have been trying to push down the throats of UK residents for years.

The two things that got it off the shelf this time was the Banks winging about EU money laundering laws

And the fact it "looks sexy" to idiots that don't know any better.

As Stella Rimington (previous head of MI) observed it will not nor can it prove identity or any other status about an individual.

Oh and by the way you can issue your own passport as has been proved by "Sealand" and it is perfectly acceptable legaly...

The law in the UK was at one point in time quite simple "you are who you say you are" it is not a crime unless you are trying to gain "advantage" by it.

As regards passports open the front cover and read what it says inside.

In the UK Passport it says,

"Her Britanic Majesty's Secretary of State Requests and requires in the Name of Her Majesty all those whom it may concern to allow the bearer to pass freely without let or hindrance, and to afford the bearer such assistance and protection as maybe necessary"

Have a think about it, it is a document of passage not of identity. Originaly passports where pieces of paper actually signed by a government minister. I have one that belonged to my father that was issued during WWII all it has on it as way of identification is his name.
A further clue is the wonderfull bit,

"Her Britanic Majesty's Secretary of State Requests and requires..."

Her Majesty's "writ" only applies to her "domain".

Hence the "request" for outside her domain and "requires" for inside her domain.

So it is actually only a document of substance when entering or in Her Majestys domain and nowhere else...

I think you will find the equivalent in most passports.

Thus you have an interesting paradox. If I have a passport for country A and I'm actually from country C and I present it country B have I actually commited a crime?

The document has no legal status in country B (unless it choses to recognise it as such) and the only country it has legal status in A I'm not using it in, nor am I from country A so it has no legal binding on me as I'm not a citizen of country A so do not fall under it's extra teratorial juresdiction.

Such is the fun of such things, the law on such things appears to be a fudge of treaties often based around extradition.

Oh then there are the legaly "displaced persons" who for whatever reason are not citizens of any country...

The whole thing is a fudge worked out during the last century originaly as an attempt to control spying...

]]>
2009-12-08T22:15:16Z2009-12-08T22:15:16Ztag:www.schneier.com,2009:/blog//2.3158-comment:402207Comment from AndrewDover on 2009-12-08AndrewDover
Steve Prontic,
Good irony. In addition, Real ID is not even electronically verifiable. So it might be easier to make a fake rather than apply under a false name.

Sen. Tom Udall (D-NM): As you know, more than 30 states including New Mexico are unlikely to meet the December 31st deadline to become materially compliant with the Real ID Act of 2005.
....
Will you commit now to extending the deadline for compliance with Real ID if Congress has not addressed the issue by December 31st?

Sec. Napolitano: Well, Senator, thank you, and yes, I -- here is the problem. Congress passed Real ID as a footnote in an appropriations bill and that did not have the benefit of hearings nor consultation with the states, which caused vast revolt among the states of which Arizona was one, and so we went and worked with the governors on a bipartisan basis to fix Real ID and that gave birth to a piece of legislation known as Pass ID. It has been through committee. It's been marked up. It is ready for floor action. It deals with a lot of the issues that -- it solves the governors' problems with Real ID.

I would -- before I get to the question of extensions, one of the reasons we had Real ID and now Pass ID is because the 9/11 commission had a recommendation that we improve the security quality of driver's licenses, and because Real ID has been rejected by the states just by granting extension after extension after extension we're not getting to the pathway to have more secure driver's licenses. Pass ID helps us meet the 9/11 commission recommendations and at the same time addresses issues that were legitimately raised by the states. And so what I would prefer to urge the Senate to do and use the -- this hearing as an opportunity to really urge it to do is to move to floor action and move Pass ID through so we can get it over to the House. I think it could go very quickly over there and we could solve this issue, as opposed to extension after extension, which not only doesn't deal with the 9/11 commission recommendation but it's just another year of uncertainty.

Sen. Udall: Yeah. Well, as you are probably aware, the situation that we're in now -- we have health care on the floor -- where if tried to move to anything else I think it would make it much more difficult procedurally. So I think if -- I don't see us getting to Pass ID on the Senate floor between now and the end of the year. So I think it would be very helpful for you to issue a statement -- you might use this as an opportunity to do it -- to assure people that after December 31st they will be able to travel with something other than a passport. I don't know if you want to do that at this point but if you decline that's fine.

Sec. Napolitano: I think I will not accept that invitation at this point in time.

Nice counterpoint. No need to "hate to disagree" with me on that one: my message was focused on how birth certificates don't prove identity, merely focusing on a birth happening. I wasn't really thinking hard when I wrote that they "prove birth." Oops...

]]>
2009-12-08T21:48:24Z2009-12-08T21:48:24Ztag:www.schneier.com,2009:/blog//2.3158-comment:402204Comment from AndrewDover on 2009-12-08AndrewDover
Real ID is not even electronically verifiable. So it probably would be easier to make a fake rather than apply under a false name.]]>
2009-12-08T21:48:24Z2009-12-08T21:48:24Ztag:www.schneier.com,2009:/blog//2.3158-comment:402202Comment from Clive Robinson on 2009-12-08Clive Robinson
@ JonS,

"Is it really fraud though? It's her fingers on her body, and presumably she can do pretty much whatever she wants with them."

Yes and no...

No :- I suspect there is no crime of "biometric fraud" on the statute books (I could be wrong though)

Yes :- it is fraud but not by the way you are thinking.

Depending where you are fraud is oftend defined as "knowingly gaining an advantage by deception".

She knowingly said she was someone who she was not (deception), and therby gained (an advantage of) entry into Japan that she knew she was not entitled to.

So yes fraud plain and simple, I suspect that calling it "biometric fraud" is "journolistic sexing up".

]]>
2009-12-08T21:41:03Z2009-12-08T21:41:03Ztag:www.schneier.com,2009:/blog//2.3158-comment:402201Comment from Zebee on 2009-12-08Zebee
Australian Passports: from passports.gov.au

"Copies or extracts of a birth certificate are not acceptable. If born in Australia, an original full birth certificate issued by a state or territory Registrar of Births, Deaths and Marriages must be presented"

You also need a combination of other documents, one of which can be a birth card. But a birth card and a credit card are not sufficient.

When I got my passport last year the central document was my driver's licence. That's all I needed to get my birth certificate (although I did need to know the "city" I was born in and I seem to recall they wanted the suburb Subiaco, not the city Perth) and it's a major part of getting the passport. But to get the birth certificate I faxed a copy of the driver's licence! A halfway decent forgery should cope with that.

What isn't at all clear is if any of this is checked. Does the registrar in Perth check with NSW if that licence is valid? Plus you can bet that it's a low paid low ranked public servant doing the work, a bit of bribery shouldn't be too hard in one department or another.

The guarantor just has to be on the electoral roll and "known" me for a year. That is probably the weakest part.

"I agree with the previous posters' complaints on birth certificates: they only prove birth."

I hate to disagree with you but no it does not prove birth.

All it proves is an entry was made in the register on date X and it contains a statment that at some point prior to that a "birth was said to have happened".

Let me explain...

As a woman who has a house in say France and a house in say Belgium. You decide you want to work the system.

You register with two doctors one in France and one in Belgium.

You keep visiting each one all through your pregnancy.

You then have your baby out of hospital close to the border. You then visit both doctors to be medicaly examined and have the birth recorded medicaly.

You then go with the documents to get the birth registered in both countries.

Now your child is both French and Belgium...

This works because the birth registrar gets a record that the birth has been medicaly registered but the doctor does not have to have attended the actual birth.

Unless somebody gets suspicious then you get away with it...

]]>
2009-12-08T21:30:34Z2009-12-08T21:30:34Ztag:www.schneier.com,2009:/blog//2.3158-comment:402199Comment from Steve Prontic on 2009-12-08Steve Prontic
"No credential can be more secure than its breeder documents and issuance procedures."

We need Real ID!! That will make the driver's license secure and we'll all live happily ever after.

]]>
2009-12-08T21:25:14Z2009-12-08T21:25:14Ztag:www.schneier.com,2009:/blog//2.3158-comment:402198Comment from JonS on 2009-12-08JonS
"Japan's first case of alleged biometric fraud"

Is it really fraud though? It's her fingers on her body, and presumably she can do pretty much whatever she wants with them.

If the system is so fragile that it depends on no one ever changing their appearance, the system is flawed, no? There are plenty of other ways that a fingerprint might get corrupted - heavy manual work, fire, acid, amputation, etc. Swapping digit prints might be seen as an extreme form of body art, or a political statment, or ... meh, whatever. Granted that *I* wouldn't chose to do it, and also granted that the most probable explanation is an attempt to subvert border controls, but I still think that's hardly a case for labelling it fraud.

Jon

]]>
2009-12-08T21:18:22Z2009-12-08T21:18:22Ztag:www.schneier.com,2009:/blog//2.3158-comment:402193Comment from Roger on 2009-12-08Roger
I was about to write in to disagree with people criticising the system of "guarantors" -- professionals who certify that they have known the applicant's identity for N years. It has a lot of advantages over the "document bootstrapping" method, including that it is simultaneously more equitable, cheaper, *and* more difficult to suborn if done properly.

However on looking up the current rules I see that the system here in Australia has indeed been seriously weakened since I last applied ~10 years ago. It's OK to broaden the list of allowed guarantors so long as they have 4 simple properties:
1. They know members of the community through their professional relationships, rather than personally;
2. They are themselves definitely identifiable within the community, so they can be easily located if an investigation is required;
3. The cost to their professional career from fraudulently certifying the document greatly outweighs the potential benefits; and
4. The nature of the profession means the person is bright enough to understand point 3.
There are indeed many, many professions which qualify in this way, including chiropodists and airline pilots -- although perhaps not journalists. However in Australia the new rules seem to allow many people who meet *none* of these requirements, and at the same time reduced from 5 years to 1 year the period for which they certify you have been using that name.

Oh, boy. I just looked at the documentation requirements, and they too seem to have been massively weakened since I last applied, when I needed a manila folder to carry everything. You can now apply for an Australian passport with just a "birth card" (certificate extract) plus a credit card!

]]>
2009-12-08T20:45:17Z2009-12-08T20:45:17Ztag:www.schneier.com,2009:/blog//2.3158-comment:402192Comment from Justme on 2009-12-08Justme
Require and obtain DNA at birth. Require and obtain DNA from anyone getting any form of any new government issued ID or employment (including employees of those contracting/receiving federal funds). Deny entry to anyone who does not have such a record. Anyone internal without such a record is obstructed from any form of travel (govt owns the roads and subsidizes the skys), medical attention, government aid, etc. until such time that the record can be created....

Sounds like a fun future.. Oh wait, they already started. My bad.

]]>
2009-12-08T20:40:54Z2009-12-08T20:40:54Ztag:www.schneier.com,2009:/blog//2.3158-comment:402188Comment from Nick P on 2009-12-08Nick P
I agree with the previous posters' complaints on birth certificates: they only prove birth. We'd need to get some biometric data on the infant as soon as he or she was cleaned up and that data (e.g. fingerprint) mustn't change as it ages, or false positives/neg.'s slip through.

I guess a temporary solution would be applying the web of trust approach to a centralized database. Essentially, we would act like we were just issuing biometric authentication credentials, but not actually identifying. As more identity proofs were used, they'd be added to the database. That person's trust factor would increase. At the same time, the measures for getting and validating the other identity documents could be strengthened.

Honestly, though, I'm grasping at straws here. In a country like USA, nothing immediately comes to mind that would solve our identity problems. There's just too much to be gained by too many people in remaining unidentifiable. And many in power like this to a degree, like the influx of cheap, exploitable labor. If they did do national identity scheme, that would be severely impacted right off the bat. They'd have to pass a guest worker program immediately or begin shipping folks out. This issue is just one negative economic side effect of positive national ID. Add the privacy issues and, again, it's hard for me to see a way for it to happen & be trustworthy.

]]>
2009-12-08T20:13:05Z2009-12-08T20:13:05Ztag:www.schneier.com,2009:/blog//2.3158-comment:402185Comment from Nomen Publicus on 2009-12-08Nomen Publicus
Last week the UK government started issuing UK ID cards to volunteers in the Greater Manchester area. There are about 2.5 million people in the area and about 1000 had previously signed up as interested in obtaining an ID card. A government minister admitted that there were currently less than 700 people in the ID database (the total UK population is about 60 million.)

You have to apply in person, and provide some evidence of ID (such as a passport!) If you pass whatever tests they think appropriate in the interview, photographs and fingerprints are taken. You then have to provide answers to five out of 20 questions. Questions such as "Favourite pet?", "Best subject in school" etc. All questions that are probably answered on the applicants FaceBook page :-)

So, not only do you have to travel some distance to the interview, you ideally need an existing passport. Your shiny new ID card will cost you about £30 ($50) and the only thing you can do with it is travel within the EU without a passport (which you probably have anyway.) It is now your responsibility to keep the card details up to date with fines in the range of £1000 ($1500) for each offence.

Oh, and there is a vast computer database costing billions.

Obviously nothing there could possibly go wrong...

]]>
2009-12-08T20:06:24Z2009-12-08T20:06:24Ztag:www.schneier.com,2009:/blog//2.3158-comment:402181Comment from Robert on 2009-12-08Roberthttp://www.linkedin.com/in/rgraham02
The best you can really hope for is that you stipulate: if you select an identity, you have to stick with it. To a certain extent, when you consider juvenile legality etc, it doesn't matter if your parents christened you Jim Clarke and you wish to conduct your life and business as Ahmed Rafsanijad. As long as this identity is maintained tied to all your activity across driver's license, state ID, and passport since the age of 16, 18, 21, or whatever. This isn't perfect, but then at least, the system only has to oversee that people maintain this identity and don't have multiples.]]>
2009-12-08T19:08:15Z2009-12-08T19:08:15Ztag:www.schneier.com,2009:/blog//2.3158-comment:402180Comment from Errmm on 2009-12-08Errmm
Having a member of a profession sign the passport photo worked in the 1950s but not today.
They recently expanded the 'professions' allowed - so chiropodists and airline pilots can now swear who you are, as can any religous minister, journalist or local counicllor (now there's a trustworthy bunch).

The computer system to check that the birth certificate copy you are supplying doesn't have a matching death certificate (the day of the jackal attack) is still delayed.

]]>
2009-12-08T18:42:55Z2009-12-08T18:42:55Ztag:www.schneier.com,2009:/blog//2.3158-comment:402179Comment from Nobody on 2009-12-08Nobody
>Northern Ireland
It's even funnier than that. Irish citizens don't need a passport or ID to enter Britain.
So when ID cards are made compulsory in Britain the only people not required to carry them will be that section of the Northern Ireland community that have, shall we say, strongly identified with the Irish republic !

In American terms thats rather like exempting only Shite Iraqi's from needing a Visa to enter the US!

]]>
2009-12-08T18:36:00Z2009-12-08T18:36:00Ztag:www.schneier.com,2009:/blog//2.3158-comment:402175Comment from Jim A. on 2009-12-08Jim A.
The problem with using seed documents is, at a theortical level, unsolvable. We keep trying to push it back as far as possible, but birth certificates aren't particularly secure, not everybody has one, and they don not provide any proof of identiy, just proof of birth. We want but can't have a system that proves "I am who I say I am." The best that we can do is a system that is persuasive proof that "I am the same person who claimed to be who I say I am at some time in the past." The sooner that national ID proponents and the public realize this, the sooner we can have a dialog on whether that second statement is worth the costs of programs that are intended to look like they prove the first statement.]]>
2009-12-08T17:27:46Z2009-12-08T17:27:46Ztag:www.schneier.com,2009:/blog//2.3158-comment:402174Comment from MarkH on 2009-12-08MarkH
@jackie,

"I realized after this is was possible to break bureau records"

You are onto something here - I learned this from a colleague who went on to become a world-class computer security analyst: if you can make a system crash, you (likely) can break its security. This concept surprised me: it wasn't intuitive, but I came to understand it.

When a system is capable of making gross errors (like losing the license record), such a flaw can be subverted by a fraudster.